THE UNFORTUNATE REALITY OF INSECURE LIBRARIES Jeff Williams, CEO OWASP AppSec DC April 4, 2012


Page 1: Title slide

THE UNFORTUNATE REALITY OF INSECURE LIBRARIES
Jeff Williams, CEO
OWASP AppSec DC, April 4, 2012

Page 2: Warning

• Nothing in the following presentation or associated paper should be read to imply that open source is any more or less insecure than commercial software.
• The authors are strong proponents of open source and have contributed many projects under open source licenses, including two of the libraries studied.
• Any attempt to claim otherwise after seeing this warning will be subject to public scorn and humiliation.

Stallman Clarification: This study is NOT ABOUT OPEN SOURCE. It’s about our infrastructure and old vulnerable software.

Security Alert!

Page 3: OWASP Top Ten 2010

“How Do I Prevent This? The primary recommendations are to establish all of the following: … 2. A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include all code libraries as well, which are frequently overlooked.”

Page 4: We asked 2,550 developers…

Page 5: The Study

Dataset             Value
Libraries           31
Library Versions    1,261
Organizations       61,807
Downloads           113,939,358

Callouts on the chart (log scale, 1 to 100,000,000): “Over half the Global 500” and “Undercounted!”

https://www.aspectsecurity.com/news/press/the-unfortunate-reality-of-insecure-libraries

Page 6: The Libraries

Frameworks: Spring MVC, GWT, Apache CXF, Hibernate, Java Servlet, Apache Velocity, Struts 1.x, Apache Xerces, Apache Axis, Struts2, Java Server Pages, Tiles, Wicket, Lift, Tapestry, Java Server Faces, JAX-WS, Grails, Stripes, JBoss Seam

Security: Log4j, Spring Security, ESAPI, Apache Commons Validator, Hibernate Validator, Apache Santuario, Jasypt, Apache Shiro, BouncyCastle, AntiSamy, HDIV

Page 7: The Organizations

Bar chart (0 to 50,000 organizations per library); callout: 1,403 organizations using ESAPI.

Page 8: Who Is Building Libraries?

Page 9: Trust Your Business to Your Libraries?

• Our open source team approved them
• They’re compiled!
• We control our software?
• Open source? Many eyes?
• We pentest?
• We patch?
• Static analysis?

The *real* vulnerability is how the flaw got in!

Blind Library Injection! Adopting an unknown library into a critical application and running it with full trust where it can do absolutely anything!

Security Alert!

Page 10: Struts2 Remote Command Execution

1,121,000 vulnerable downloads; 10,700 organizations.

Page 11: Spring Expression Language Injection

2,700,000 vulnerable downloads; 43,700 organizations.

Page 12: What About Malicious Code?

Are you sure you know what’s in that jar file?

https://www.aspectsecurity.com/uploads/2012/02/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

Dan Geer quote: “Be very careful where the code you use comes from” (@OWASP AppSec DC 2012)

Security Alert!

Page 13: Transformation

80% Libraries, 20% Custom Code.

The amount of custom code in an application hasn’t changed very much in the past 10 years, but library use is growing at a staggering rate.

Page 14: Dependency Management

Page 15: The Ripple Effect

Hundreds are still tainted!

Page 16: Trapped!

Page 17: What’s In Central?

Page 18: It’s Not a Popularity Contest

Stacked bar chart, Not Popular vs. Popular libraries, split into “Contains Known Vulnerabilities” and “No Known Vulnerabilities”. Values shown: 62% / 38% for Not Popular and 72% / 28% for Popular.

Page 19: License Doesn’t Matter (I Think)

Stacked bar chart (0% to 100%) by license; legend: No Known Vulnerabilities, Contains Known Vulnerabilities.

Page 20: Are We Downloading Old Versions?

Chart: y-axis “Popularity of Version Downloaded” (0 to 60), x-axis “Age of Library in Years” (1 year through 7 years). Callout: 7 years old!

Page 21: Actual Vulnerable Downloads

Chart (log scale, 1 to 100,000,000). Callouts: 17,666,703 vulnerable downloads of GWT; 29,800,000 vulnerable downloads total.

Page 22: What’s More Secure: Vulns or No Vulns?

Library A / Library B, with example identifiers CVE-2007-1234, OSVDB 12345, OSVDB 31337, CVE-2009-5678.

Extrapolate 31 libraries to 680,000 vulns in Central (typical vuln rates are much higher).

“The best indicator of a library’s future security is a culture that places value on security and clear evidence of broad and rigorous security analysis”

Page 23: Global 500

Chart (0% to 100%): Global 500 vs. Smaller Organizations.

How Many of These 31 Libraries Do They Use? Global 500: 19.2; All the Rest: 8.5.

Total 2,800,000 downloads with known vulns! Global 100 financials had 567,000 vulnerable downloads.

Page 24: Library Analysis

Directory (all rows): /target/swp/WEB-INF/lib

Library                             Current   All Versions
activation-1.1.jar                  1.1       1.0.2, 1.1, 1.1-rev-1, 1.1.1
ant-1.7.0.jar                       1.7.0     1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3
ant-launcher-1.7.0.jar              1.7.0     1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3
antisamy-1.4.3.jar                  1.4.3     1.4.2, 1.4.3, 1.4.4, 1.4.5
antlr-2.7.7.jar                     2.7.7     2.7.1, 2.7.2, 2.7.4, 2.7.5, 2.7.6rc1, 2.7.6, 2.7.7, 3.0b5, 3.0ea8, 20030911
antlr-3.4.jar                       3.4       3.1, 3.1.1, 3.1.2, 3.1.2-1, 3.1.3, 3.2, 3.3, 3.4-beta3, 3.4-beta4, 3.4
antlr-runtime-3.4.jar               3.4       3.1, 3.1.1, 3.1.2, 3.1.2-1, 3.1.3, 3.2, 3.3, 3.4-beta3, 3.4-beta4, 3.4
aopalliance-1.0.jar
asm-3.3.1.jar                       3.3.1     2.2.1, 2.2.2, 2.2.3, 3.0, 3.0_RC1, 3.1, 3.2, 3.3, 3.3.1, 20041228.180559
aspect-spring-esapi-ldap-1.0.0.jar
aspectjrt-1.6.12.jar                1.6.12    1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12
aspectjweaver-1.6.12.jar            1.6.12    1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12
avro-1.5.1.jar                      1.5.1     1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3
axiom-api-1.2.12.jar                1.2.12    1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12
axiom-dom-1.2.11.jar                1.2.11    1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12
axiom-impl-1.2.12.jar               1.2.12    1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12
axis-1.3-atlassian-1.jar
axis-jaxrpc-1.3.jar                 1.3       1.2-alpha-1, 1.2-beta-2, 1.2-beta-3, 1.2-RC1, 1.2-RC2, 1.2-RC3, 1.2, 1.2.1, 1.3, 1.4
axis-saaj-1.3.jar
axis-wsdl4j-1.5.1.jar               1.5.1     1.2-beta-2, 1.2-beta-3, 1.2-RC1, 1.2-RC2, 1.2-RC3, 1.2, 1.2.1, 1.3, 1.5.1
axis2-adb-1.5.5.jar                 1.5.5     1.4.1, 1.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1
axis2-kernel-1.5.5.jar              1.5.5     1.4.1, 1.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1
axis2-transport-http-1.5.5.jar      1.5.5     1.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1
axis2-transport-local-1.5.5.jar     1.5.5     1.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1
backport-util-concurrent-3.1.jar    3.1       1.0, 1.1_01, 2.0_01_pd, 2.1, 2.2, 3.0, 3.1

Rows with an empty Current / All Versions column were left blank on the slide.

Page 25: Using Maven

Output of the versions-maven-plugin dependency update check:

The following dependencies in Dependencies are using the newest version:
  com.sun.jmx:jmxri .............................................. 1.2.1
  commons-el:commons-el ............................................ 1.0
  dbunit:dbunit .................................................... 2.1
  fitnesse:fitnesse ........................................... 20050731
  jakarta:jakarta-oro ............................................ 2.0.8
  javax.jms:jms .................................................... 1.1
  javax.sql:rowset ............................................... 1.0.1
  jdom:jdom ........................................................ 1.0
  junit:junit ..................................................... 4.10
  junit:junit-dep ................................................. 4.10
  oracle:ojdbc6-11g ......................................... 11.2.0.2.0

The following dependencies in Dependencies have newer versions:
  antlr:antlr ........................................ 2.7.5 -> 20030911
  cglib:cglib-nodep ....................................... 2.1 -> 2.2.2
  com.hp.hpl.jena:jena .................................... 2.3 -> 2.6.4
  com.sun.xml.bind:jaxb-impl .......................... 2.1.9 -> 2.2.4-1
  commons-codec:commons-codec ............................... 1.3 -> 1.6
  commons-collections:commons-collections ................. 3.1 -> 3.2.1
  commons-dbcp:commons-dbcp ............................... 1.2.1 -> 1.4
  jfree:jfreechart ..................................... 1.0.2 -> 1.0.12
  log4j:log4j ......................................... 1.2.14 -> 1.2.16
  log4j:log4j ......................................... 1.2.15 -> 1.2.16
  org.apache.geronimo.specs:geronimo-servlet_2.4_spec ... 1.0.1 -> 1.1.1

Add to your POM:

<reporting>
  <plugins>
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>versions-maven-plugin</artifactId>
      <version>1.3.1</version>
      <reportSets>
        <reportSet>
          <reports>
            <report>dependency-updates-report</report>
            <report>plugin-updates-report</report>
            <report>property-updates-report</report>
          </reports>
        </reportSet>
      </reportSets>
    </plugin>
  </plugins>
</reporting>

Page 26: Action Plan

Immediate: Inventory
• Scan for libraries
• Create tracking spreadsheet

Short Term: Analyze
• Purge unnecessary libraries
• Code review

Tactical: Control
• Centralize library control
• Consider Java sandbox

Monitor
• Manage your libraries
• Get security intelligence
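The script below is an added example, not code from the slides or from Aspect Security, showing the first two action-plan steps (scan for libraries, build a tracking list) together with a triage pass over the versions-maven-plugin output shown on page 25. The WEB-INF/lib listing and the update-report excerpt are constructed samples that copy the naming and output formats on pages 24 and 25; the advisory table is hypothetical (the identifiers are not real CVEs); and the version ordering is a simplified approximation of Maven's, not its real ComparableVersion. The one caveat it encodes: the plugin reports antlr 2.7.5 -> 20030911 as an "update" because 20030911 is a larger number, but that artifact is an old timestamp-versioned build, so a date-shaped "newest" version should be verified rather than applied.

```python
import re

# Constructed sample: jar names as they appear in a WEB-INF/lib listing
# (same artifact-version.jar naming as the slide's table; the set is made up).
SAMPLE_WEBINF_LIB = [
    "antisamy-1.4.3.jar",
    "antlr-2.7.5.jar",
    "axis-1.3-atlassian-1.jar",
    "commons-collections-3.1.jar",
    "log4j-1.2.14.jar",
]

# Constructed excerpt in the text format printed by
# `mvn versions:display-dependency-updates` (the slide shows real output).
SAMPLE_UPDATE_REPORT = """\
The following dependencies in Dependencies have newer versions:
  antlr:antlr ........................................ 2.7.5 -> 20030911
  commons-collections:commons-collections ................. 3.1 -> 3.2.1
  log4j:log4j ......................................... 1.2.14 -> 1.2.16
"""

# HYPOTHETICAL advisory table: artifact -> (first affected, first fixed, id).
# These are illustrative placeholders, NOT real advisories or CVE numbers.
HYPOTHETICAL_ADVISORIES = {
    "commons-collections": ("3.0", "3.2.1", "EXAMPLE-ADV-1 (hypothetical)"),
    "log4j": ("1.2.0", "1.2.16", "EXAMPLE-ADV-2 (hypothetical)"),
}

JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")
REPORT_LINE = re.compile(
    r"^\s*(?P<group>[^:\s]+):(?P<artifact>\S+)\s+\.+\s+(?P<current>\S+)\s+->\s+(?P<newest>\S+)\s*$"
)
TIMESTAMP = re.compile(r"^(19|20)\d{6}$")  # 20030911 is a date, not a release number


def parse_jar_name(filename):
    """Split 'artifact-version.jar' at the first '-' followed by a digit.
    Returns (artifact, version), or None when the name carries no version."""
    m = JAR_NAME.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Simplified Maven-style ordering: numeric parts compare as integers and
    qualifiers (alpha, beta, rc, ...) sort below a plain number in the same
    position. Good enough for triage; not a full ComparableVersion."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((1, int(p)) if p.isdigit() else (0, p.lower()) for p in parts)


def version_lt(a, b):
    """True when version a sorts before b; '1.0' and '1.0.0' compare equal."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    pad = (1, 0)  # missing trailing positions count as '.0'
    ka += (pad,) * (width - len(ka))
    kb += (pad,) * (width - len(kb))
    return ka < kb


def inventory(jar_names, advisories):
    """Tracking rows for the 'Immediate: Inventory' step: one row per jar
    with artifact, version, advisory status and advisory reference."""
    rows = []
    for name in sorted(jar_names):
        parsed = parse_jar_name(name)
        if parsed is None:
            rows.append((name, None, "UNVERSIONED: identify by hash/manifest", ""))
            continue
        artifact, version = parsed
        adv = advisories.get(artifact)
        if adv is None:
            status, ref = "no advisory in table", ""
        else:
            first_bad, first_fixed, ref = adv
            affected = not version_lt(version, first_bad) and version_lt(version, first_fixed)
            status = "VULNERABLE" if affected else "not affected"
        rows.append((artifact, version, status, ref))
    return rows


def triage_updates(report_text):
    """Parse versions-maven-plugin output and annotate each suggested upgrade.
    A date-stamped 'newest' version is flagged: the plugin ranks it above the
    current one only because it is numerically larger."""
    findings = []
    for line in report_text.splitlines():
        m = REPORT_LINE.match(line)
        if not m:
            continue
        current, newest = m.group("current"), m.group("newest")
        if TIMESTAMP.match(newest):
            note = "SUSPICIOUS: timestamp-style version, verify before upgrading"
        elif version_lt(current, newest):
            note = "upgrade candidate"
        else:
            note = "not actually newer"
        findings.append((m.group("artifact"), current, newest, note))
    return findings


if __name__ == "__main__":
    for row in inventory(SAMPLE_WEBINF_LIB, HYPOTHETICAL_ADVISORIES):
        print("%-22s %-18s %-40s %s" % row)
    for f in triage_updates(SAMPLE_UPDATE_REPORT):
        print("%-22s %s -> %s  %s" % f)
```

In practice the jar list comes from walking the deployed WEB-INF/lib directories (or the build's resolved dependency tree), and the advisory table from a maintained feed; the point of keeping the comparison logic explicit is that "newest according to the repository" and "safe" are different questions, as the antlr row shows.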

Page 27